WE CLAIM:

1. A method for distributed network address translation with security, comprising the
following steps:

requesting from a first network device on a first computer network with a first protocol,
one or more locally unique security values from a second network device on the first computer
network to uniquely identify the first network device during secure communications with a third
network device on a second external network and for distributed network address translation with
security;

receiving the one or more locally unique security values on the first network device from
the second network device with the first protocol; and

storing the one or more locally unique security values on the first network device,
wherein the one or more locally unique security values are used to create a secure virtual
connection for secure communications with the third network device and for distributed network
address translation.






2. A computer readable medium having stored therein instructions for causing a central
processing unit to execute the method of Claim 1.

3. The method of Claim 1 wherein the second network device is a distributed network
address translation router.
4. The method of Claim 1 wherein the one or more locally unique security values are one
or more security parameter indexes for an Internet Protocol security protocol.

5. The method of Claim 4 wherein the Internet Protocol security protocol is any of an
Authentication Header protocol, Encapsulated Security Payload protocol or an Internet Key
Exchange protocol.



6. The method of Claim 1 wherein the first protocol is a Port Allocation Protocol.



7. The method of Claim 1 wherein the requesting step further includes requesting one or
more locally unique ports used to uniquely identify the first network device on the first network
for distributed network address translation.

8. The method of Claim 1 wherein the locally unique ports are Port Allocation Protocol
ports.
9. A method for distributed network address translation with security, comprising the
following steps:

receiving a request message with a first protocol on a second network device for one or
more locally unique security values from a first network device;

allocating one or more locally unique security values on the second network device;
storing a network address for the first network device with the one or more locally unique
security values in a table associated with the second network device, wherein the table is used to
maintain a mapping between a network device and one or more locally unique security values for
distributed network address translation; and

sending the one or more locally unique security values in a response message with the
first protocol to the first network device.



10. A computer readable medium having stored therein instructions for causing a central
processing unit to execute the method of Claim 9.

11. The method of Claim 9 wherein the second network device is a distributed network
address translation router.



12. The method of Claim 9 wherein the one or more locally unique security values
include one or more security parameter indexes for an Internet Protocol security protocol.

13. The method of Claim 10 wherein the Internet Protocol security protocol is any of an
Authentication Header protocol, Encapsulated Security Payload protocol or an Internet Key
Exchange protocol.
14. A method for distributed network address translation using security, comprising the
following steps:
receiving a first message in a second secure protocol on a first network device on a first
network to establish a secure virtual connection to the first network device from a third network
device on a second external network;

selecting a locally unique security value to use for the secure virtual connection from a
list of locally unique security values, wherein the list of locally unique security values was
received from a second network device on the first network with a first protocol; and

sending a second message with second secure protocol to establish a secure virtual
connection to the first network device on the first network from the third network device on the
second external network wherein the second message includes the selected locally unique
security value and security certificate sent to the first network device by the second network
device.



15. A computer readable medium having stored therein instructions for causing a central
processing unit to execute the method of Claim 14.

16. The method of Claim 14 wherein the list of one or more locally unique security
values is a list of one or more security parameter indexes for Internet Protocol security protocol.



17. The method of Claim 14 wherein the Internet Protocol security protocol is any of an
Authentication Header protocol, Encapsulated Security Payload protocol, or an Internet Key
Exchange Protocol.
18. The method of Claim 14 wherein the first protocol is a Port Allocation Protocol and
the second secure protocol is an Internet Protocol security protocol.




19. The method of Claim 14 wherein the secure virtual connection is an Internet Protocol
security protocol security association.



20. A method for distributed network address translation with security, comprising the 
following steps: 

sending a request message in a second secure protocol from a first network device on a
first network to a second network device on the first network, wherein the request message in the
second secure protocol includes security information;

routing the request message from the second network device to a third network device on
a second external network over a secure virtual connection between the first network device and
the third network device;


receiving a reply message in the second secure protocol from the third network device on
the second network device on the first network for the first network device, wherein the reply
message in the second secure protocol includes security information from the request message
allocated by the second network device; and

routing the reply message from the second network device to the first network device on
the first network using the locally unique ports used for distributed network address translation.
21. A computer readable medium having stored therein instructions for causing a central
processing unit to execute the method of Claim 20.




22. The method of Claim 20 wherein the step of sending a request message in a second
secure protocol includes:

constructing a virtual tunnel header for a local network address determined for the second 
network device; 

prepending the virtual tunnel header to the request message, wherein the virtual tunnel
header is used to create a virtual tunnel between the first network device and the second network
device;

sending the request message to the second network device from the first network device
over the virtual tunnel.



23. The method of Claim 20 wherein the step of routing the reply from the second
network device to the first network device on the first network using the locally unique port from
the reply in the second secure protocol includes:

determining a local network address for the first network device using the locally unique 
port associated with the second network device; 

constructing a virtual tunnel header for the determined local network address for the first 
network device; 
prepending the virtual tunnel header to the reply message, wherein the virtual tunnel
header is used to create a virtual tunnel between the second network device and the first network
device;

forwarding the reply message to the first network device from the second network device
over the virtual tunnel.
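To make the allocation and mapping described in Claims 9, 14 and 23 concrete, here is an added example (not code from the patent) of a toy distributed NAT router that hands out locally unique ports and security parameter indexes (the "locally unique security values") to a local device, records them in its table, and later maps an inbound reply back to the local address by the SPI or port it carries. Class names, address values and the sequential allocation scheme are assumptions made for this example.

```python
# Added example: a minimal model of the second network device (router) and the
# first network device (local host) from Claims 9, 14 and 23. Values and names are
# constructed for illustration and are not part of the patent text.
from dataclasses import dataclass, field


@dataclass
class DnatRouter:
    """Second network device: allocates locally unique ports/SPIs and keeps the table."""
    next_port: int = 40000          # assumed starting point of the port pool
    next_spi: int = 0x1000          # assumed starting point of the SPI pool
    port_table: dict = field(default_factory=dict)   # port -> local address (Claim 9)
    spi_table: dict = field(default_factory=dict)    # SPI  -> local address (Claim 9)

    def handle_request(self, local_addr: str, n_ports: int, n_spis: int) -> dict:
        """Claim 9: allocate values, store the requester's address with them, reply."""
        ports = list(range(self.next_port, self.next_port + n_ports))
        spis = list(range(self.next_spi, self.next_spi + n_spis))
        self.next_port += n_ports       # sequential allocation keeps values locally unique
        self.next_spi += n_spis
        for p in ports:
            self.port_table[p] = local_addr
        for s in spis:
            self.spi_table[s] = local_addr
        return {"ports": ports, "spis": spis}

    def local_addr_for_spi(self, spi: int):
        """Claim 23: find the local device for an inbound reply by its SPI."""
        return self.spi_table.get(spi)          # None: no device owns this SPI, drop it

    def local_addr_for_port(self, port: int):
        """Claim 23: find the local device for an inbound reply by its locally unique port."""
        return self.port_table.get(port)


class LocalDevice:
    """First network device: stores its allocated values and picks an SPI per SA (Claim 14)."""
    def __init__(self, addr: str, router: DnatRouter, n_ports: int = 2, n_spis: int = 2):
        self.addr = addr
        resp = router.handle_request(addr, n_ports, n_spis)
        self.ports = resp["ports"]
        self.free_spis = list(resp["spis"])     # the received list of Claim 14

    def select_spi(self) -> int:
        """Claim 14: take one unused SPI from the list for a new secure virtual connection."""
        if not self.free_spis:
            raise RuntimeError("no locally unique SPI left; request more from the router")
        return self.free_spis.pop(0)
```

Because the router is the only allocator, two local devices never receive the same SPI or port, which is what lets the reply lookup be unambiguous.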






24. The method of Claim 20 wherein the local network address is an Internet Protocol
address and the virtual tunnel header is an Internet Protocol tunnel header.

25. The method of Claim 20 wherein the first protocol is a Port Allocation Protocol and
the second secure protocol is Internet Protocol security protocol.



26. The method of Claim 20 wherein the Internet Protocol security protocol is any of an
Authentication Header protocol, Encapsulated Security Payload protocol, or an Internet Key
Exchange protocol.
27. The method of Claim 20 wherein the security information includes any of a locally
unique security value or a security certificate.
28. A method for distributed network address translation with security, comprising the
following steps:

requesting one or more locally unique ports with a first message from a first protocol on a
first network device from a second network device, wherein the one or more locally unique ports
are used for distributed network address translation;

requesting one or more locally unique security values with a first message from the first
protocol from the second network device, wherein the one or more locally unique security values
are used with a second secure protocol to establish a secure virtual connection between the first
network device and a third network device on a second external computer network and are used
for distributed network address translation with security;

requesting a security certificate on the first network device from the second network
device, wherein the security certificate includes a binding between a public encryption key and a
combination of a network address for the first network device and the one or more locally unique
ports and the second network device provides local security certificate services.


29. A computer readable medium having stored therein instructions for causing a central
processing unit to execute the method of Claim 28.

30. The method of Claim 28 wherein the one or more locally unique security values are
security parameter indexes from an Internet Protocol security protocol.
31. The method of Claim 28 wherein the second network device is a distributed network
address translation router.

32. The method of Claim 28 further comprising:

establishing a secure virtual connection between the first network device and the third
network device on the second external network using the security certificate.

33. The method of Claim 32, wherein the secure virtual connection is an Internet 
Protocol security protocol security association. 



34. A method for distributed network address translation with security features
comprising the following steps:

sending one or more locally unique ports allocated on a second network device on a first
computer network to a first network device on the first computer network with a second message
from a first protocol wherein the one or more locally unique ports are used for distributed
network address translation;

sending one or more locally unique security values allocated on the second network
device to the first network device with a second message from the first protocol wherein the one
or more locally unique security values are used with a second secure protocol to establish a
secure virtual connection between the first network device and a third network device on a
second external computer network and are used for distributed network address translation with
security;
sending a security certificate created on the second network device to the first network
device, wherein the second network device provides local security certificate services on the first
computer network and wherein the security certificate includes a binding for a public encryption
key for the first network device and a combination of a network address for the first network
device and the one or more locally unique ports allocated to the first network device to
authenticate an identity for the first network device for a secure virtual connection between the
first network device and a third network device on a second external computer network.

35. A computer readable medium having stored therein instructions for causing a central
processing unit to execute the method of Claim 34.



36. A system for distributed network address translation with security, comprising in 
combination: 

a routing network device for allocating one or more locally unique ports, one or more
locally unique security values and security certificates used for distributed network address
translation with security for a plurality of other network devices, wherein the second network
device provides local security certificate services and routing services for distributed network
address translation with security;

a network address table associated with the routing network device for mapping one or
more locally unique security values to a network address for a network device; and

a security certificate for binding a public encryption key for a network device and a
combination of a network address for the network device and one or more locally unique ports
allocated to first network device by the routing network device to authenticate an identity for the
network device for a secure virtual connection with external network device on an external
computer network, wherein the security certificate is issued by a second network device
providing local security certificate services for distributed network address translation with
security.
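The certificate binding of Claims 28, 34 and 36 is what stops one local device from presenting another device's identity from a different address or port. The following added example (not code from the patent) models the router's local certificate service issuing such a binding and an external peer checking it. It assumes, as a stand-in so the example runs with only the standard library, that the router "signs" with an HMAC over a canonical encoding of the bound fields; a real deployment would use a public-key signature the peer verifies with the router's public key. Key and address values are constructed.

```python
# Added example: toy local certificate service from Claims 28, 34 and 36. The
# HMAC "signature", the key and all addresses are constructed for this example.
import hashlib
import hmac
import json

ROUTER_KEY = b"constructed-router-signing-key"   # stand-in for the router's signing key


def canonical(pubkey: str, address: str, ports: list) -> bytes:
    """Canonical encoding of the bound fields: pubkey + address + allocated ports.
    Any change to any field changes the signature."""
    return json.dumps({"pubkey": pubkey, "address": address, "ports": sorted(ports)},
                      sort_keys=True).encode()


def issue_certificate(pubkey: str, address: str, ports: list, key: bytes = ROUTER_KEY) -> dict:
    """Router side (Claim 34): bind the device's public key to (address, locally unique ports)."""
    sig = hmac.new(key, canonical(pubkey, address, ports), hashlib.sha256).hexdigest()
    return {"pubkey": pubkey, "address": address, "ports": sorted(ports), "sig": sig}


def verify_binding(cert: dict, claimed_address: str, claimed_port: int,
                   key: bytes = ROUTER_KEY) -> bool:
    """Peer side: the signature must verify and the address:port the peer sees the
    connection coming from must be one the certificate actually binds. A genuine
    certificate replayed from another address, or on a port the router never
    allocated to that device, is rejected."""
    expected = hmac.new(key, canonical(cert["pubkey"], cert["address"], cert["ports"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cert["sig"]):
        return False                        # tampered fields or wrong issuer
    return cert["address"] == claimed_address and claimed_port in cert["ports"]
```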

37. The system of Claim 36 wherein the routing network device is distributed network
address translation router.

38. The system of Claim 36 wherein the one or more locally unique security values are
one or more security parameter indexes for an Internet Protocol security protocol.

39. The system of Claim 36 wherein the secure virtual connection is an Internet Protocol
security protocol security association.